                           Industry check

                    We don't talk to police
                    We don't make a peace bond

The security scene is fucked. You have Dan Kaminsky lecturing you on how DNS
poisoning will destroy life as we know it. You have Matasano harvesting talent
and critiquing everyone, and then Ptacek can only announce the release of....a
graphical firewall management client. There's kingcope killing bugs and
dropping weaponized exploits while making no other contribution except putting
a smile on the face of kiddies. There's iDefense and their competitors selling
exploits and only doing research in how to make more exploits. There's Jeff
Moss running a conference under the hideous misnomer "Blackhat Briefings" where
the same researchers search for glory and present the same shit year after
year. There are people who just live press release by press release. And on top
of it all, somehow you STILL have not got rid of Kevin Mitnick. The industry
cares about virtualization one year and iPhones the next, every year forgetting
the lessons it should have picked up in the last.

If you are just someone looking to pay a fair price to not get owned, you find
out quickly that none of these people exist to help you. Very few people in
this industry have their income model based around actually making you more
secure. At best, some of them have it based around convincing you that you are
better off.

The very concept of "penetration testing" is fundamentally flawed. The problem
with it is that the penetration tester has a limited set of targets they're
allowed to attack, while a real attacker can attack anything in order to gain
access to the site/box. So if a site on a shared host is being tested, just
because site1.com is "secure" that does NOT in any way mean that the server is
secure, because site2.com could easily be vulnerable to all sorts of simple
attacks. The time constraint is another problem. A professional pentester with
a week or two to spend on a client's network may or may not get into
everything. A real dedicated hacker making the slog who spends a month of
eight hour days WILL get into anything they target. You're lucky if it even
takes him that long, really.

Those things should all be very obvious, but whitehats still make the mistake
of discounting them. Look at Mitnick. Every time he gets owned he blames his
host or his DNS provider. If he's getting owned through them, that's still his
fault. Choosing a host is a security decision, it's just like choosing a
password. If you choose a weak one you expose yourself. It's still your fault.
It's the same with outsourcing the development of your security-critical code.
Mitnick could get someone else to make him a flashy website, and then blame
them when it is full of file include vulnerabilities. People do this all the
time, indirectly, by using ridiculous CMS or blog software. As an easy example,
look at Wordpress. Even easier, look at Wordpress in 2007. Horrid. When
considering Wordpress, a blackhat starts reading the PHP, shudders and giggles,
and then laughs at the idea of ever using it on one of their servers. A
whitehat never gets that far apparently, they just install it and get owned. I
simply fail to see how leading security researchers run all kinds of code that
is blatantly dangerous. Are they really that bad at reading code? Or do they
just not care much if their passwords end up on Full Disclosure? If it's the
second option, why is that? Why can these people make a living selling
security when they make such bad choices? How do they maintain legitimacy? They
take less responsibility for getting owned than do the people who they sell
services to.

There's a popular term for people who don't read code. We call them script
kiddies.

You cannot outsource blame. You HAVE to take responsibility for your mistakes,
whether they are mistakes in your code, mistakes in code you are using,
mistakes by your host, or mistakes in who you trust. These are all security
choices. Learn to control this shit. Learn how to read code. A lot of the time
it only takes a very shallow audit to realise that the code is crap and is
bound to have bugs. In a smarter world, security professionals get paid to stop
people from getting owned. End of. There is no limit to the scope of an audit.

Are you professional types really this out of touch? I see all these papers
about how to protect yourself from these super-fucking-advanced techniques and
exploits that very few people can actually develop, and most hackers will NEVER
USE. It's the simple stuff that works now, and will continue to work years into
the future. Not only is it way easier to dev for simple mistakes, but they are
easier to find and are more plentiful.

The whole concept of full-disclosure has backfired. It will never work. It's
some slashdot hippie pipe dream. Even you dumbass corporate types should
recognize this. If you're constantly giving away all the vulnerabilities you
find, for *FREE* mind you (and what other industry does that?), and the
vulnerabilities get harder and harder to find and exploit, it will get harder
and harder for you all to do your "job". Frankly, I'm surprised that the
non-disclosure movement didn't start in the security industry in the first
place. In a way it did, by default. With full-disclosure, the security
industry is all about show and gloat, it is not about fixing anything. A lot of
bugs have been fixed from it, but it comes with the price of an industry that
likes to cripple itself. Projects run by teams of trained monkeys are always
eager to add more bugs to replace those that have been fixed.

We hate the industry because it is full of shit. There are so many trolls like
Kaminsky who just desperately search for anything new, to get attention. So
many talentless buffoons trying to scam the planet. A lot of the actual talent
out there is severely misapplied. It's an industry tied to news and not
results, because very few of you can even attain results. When you can't, who's
the wiser? Your customers can hardly tell if you have really made them more
secure or not. Sometimes there are superficial benefits, sometimes there
aren't. How do you convince the customer that they are more ZF0-safe than
before, if they were never targeted and probably never will be? And you all
lack the legitimacy to really do the job you should anyways. We can only expose
so many frauds, the rest of you can pretend you have changed something.

Very few whitehats actually go out there and provide a service where they make
people more secure. Not just for a day or a month. Are you genuinely fixing the
underlying design and logic flaws that generate security problems for your
clients or customers? If you actually clean up every exposed security flaw they
have, will they still be "secure" in six months or a year?

We could go on. Just in general, the industry is failing. Flat out failing.
You cannot even protect yourselves.